publish-safety " DNS_KASP_PUBLISH_SAFETY "; \n\
retire-safety " DNS_KASP_RETIRE_SAFETY "; \n\
purge-keys " DNS_KASP_PURGE_KEYS "; \n\
+ signatures-jitter " DNS_KASP_SIG_JITTER "; \n\
signatures-refresh " DNS_KASP_SIG_REFRESH "; \n\
signatures-validity " DNS_KASP_SIG_VALIDITY "; \n\
signatures-validity-dnskey " DNS_KASP_SIG_VALIDITY_DNSKEY "; \n\
parent-propagation-delay PT1H;
publish-safety PT3600S;
retire-safety PT3600S;
+ signatures-jitter PT12H;
signatures-refresh P3D;
signatures-validity P2W;
signatures-validity-dnskey P14D;
publish-safety PT3600S;
purge-keys P90D;
retire-safety PT3600S;
+ signatures-jitter PT12H;
signatures-refresh P3D;
signatures-validity P2W;
signatures-validity-dnskey P14D;
unforeseen events. This increases the time a key remains published
after it is no longer active. The default is ``PT1H`` (1 hour).
+.. namedconf:statement:: signatures-jitter
+ :tags: dnssec
+ :short: Specifies a range for signatures expirations.
+
+ To prevent all signatures from expiring at the same moment, BIND 9 may
+ vary the validity interval of individual signatures. The validity of a
+ newly generated signatures is in range between :any:`signatures-validity`
+ (maximum) and :any:`signatures-validity` minus :any:`signatures-jitter`
+ (minimum). The default jitter is 12 hours.
+
.. namedconf:statement:: signatures-refresh
:tags: dnssec
:short: Specifies how frequently an RRSIG record is refreshed.
purge-keys P90D;
// Signature timings
+ signatures-jitter 12h;
signatures-refresh 5d;
signatures-validity 14d;
signatures-validity-dnskey 14d;
publish-safety <duration>;
purge-keys <duration>;
retire-safety <duration>;
+ signatures-jitter <duration>;
signatures-refresh <duration>;
signatures-validity <duration>;
signatures-validity-dnskey <duration>;
ISC_LINK(struct dns_kasp) link;
/* Configuration: signatures */
+ uint32_t signatures_jitter;
uint32_t signatures_refresh;
uint32_t signatures_validity;
uint32_t signatures_validity_dnskey;
#define DNS_KASP_VALID(kasp) ISC_MAGIC_VALID(kasp, DNS_KASP_MAGIC)
/* Defaults */
+#define DNS_KASP_SIG_JITTER "PT12H"
#define DNS_KASP_SIG_REFRESH "P5D"
#define DNS_KASP_SIG_VALIDITY "P14D"
#define DNS_KASP_SIG_VALIDITY_DNSKEY "P14D"
*\li signature refresh interval.
*/
+uint32_t
+dns_kasp_sigjitter(dns_kasp_t *kasp);
+/*%<
+ * Get signature jitter value.
+ *
+ * Requires:
+ *
+ *\li 'kasp' is a valid, frozen kasp.
+ *
+ * Returns:
+ *
+ *\li signature jitter value.
+ */
+
+void
+dns_kasp_setsigjitter(dns_kasp_t *kasp, uint32_t value);
+/*%<
+ * Set signature jitter value.
+ *
+ * Requires:
+ *
+ *\li 'kasp' is a valid, thawed kasp.
+ */
+
uint32_t
dns_kasp_sigrefresh(dns_kasp_t *kasp);
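Review bot: The new comment block for `dns_kasp_sigjitter` says only "Get signature jitter value" and never states the unit or how the value is used, which matters because the caller arithmetic derived from it (validity minus jitter, per the documentation hunk in this change) is done on unsigned 32-bit fields. The config side parses it with the same `get_duration` helper as signatures-refresh, so presumably this is seconds, but the header should say so rather than leave it implied. Suggest the Returns line read `\li signature jitter value in seconds; a new signature's validity is drawn from [signatures-validity - jitter, signatures-validity].` and that `dns_kasp_setsigjitter` document that callers are expected to have rejected a jitter larger than signatures-validity. The header continues outside this hunk.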
/*%<
return (kasp->signatures_validity - kasp->signatures_refresh);
}
+uint32_t
+dns_kasp_sigjitter(dns_kasp_t *kasp) {
+ REQUIRE(DNS_KASP_VALID(kasp));
+ REQUIRE(kasp->frozen);
+
+ return (kasp->signatures_jitter);
+}
+
+void
+dns_kasp_setsigjitter(dns_kasp_t *kasp, uint32_t value) {
+ REQUIRE(DNS_KASP_VALID(kasp));
+ REQUIRE(!kasp->frozen);
+
+ kasp->signatures_jitter = value;
+}
+
uint32_t
dns_kasp_sigrefresh(dns_kasp_t *kasp) {
REQUIRE(DNS_KASP_VALID(kasp));
const char *kaspname = NULL;
dns_kasp_t *kasp = NULL;
size_t i = 0;
- uint32_t sigrefresh = 0, sigvalidity = 0;
+ uint32_t sigjitter = 0, sigrefresh = 0, sigvalidity = 0;
uint32_t dnskeyttl = 0, dsttl = 0, maxttl = 0;
uint32_t publishsafety = 0, retiresafety = 0;
uint32_t zonepropdelay = 0, parentpropdelay = 0;
maps[i] = NULL;
/* Configuration: Signatures */
+ sigjitter = get_duration(maps, "signatures-jitter",
+ DNS_KASP_SIG_JITTER);
+ dns_kasp_setsigjitter(kasp, sigjitter);
+
sigrefresh = get_duration(maps, "signatures-refresh",
DNS_KASP_SIG_REFRESH);
dns_kasp_setsigrefresh(kasp, sigrefresh);
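Review bot: The parsed jitter is stored at `dns_kasp_setsigjitter(kasp, sigjitter);` with no visible check against signatures-validity or signatures-refresh, even though the documentation added in this change defines the minimum validity as signatures-validity minus signatures-jitter. With `uint32_t` fields that subtraction wraps when jitter exceeds validity, and a jitter larger than validity minus refresh can produce RRSIGs that expire before the refresh pass reaches them, leaving validating resolvers returning SERVFAIL for the zone. Once sigvalidity has been parsed, reject the policy with something like `if (sigjitter > sigvalidity - sigrefresh) { /* log "signatures-jitter must not exceed signatures-validity minus signatures-refresh" and fail like the other policy errors */ }`. The enclosing function starts and ends outside this hunk, so if such a check already exists further down this can be ignored.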
{ "publish-safety", &cfg_type_duration, 0 },
{ "purge-keys", &cfg_type_duration, 0 },
{ "retire-safety", &cfg_type_duration, 0 },
+ { "signatures-jitter", &cfg_type_duration, 0 },
{ "signatures-refresh", &cfg_type_duration, 0 },
{ "signatures-validity", &cfg_type_duration, 0 },
{ "signatures-validity-dnskey", &cfg_type_duration, 0 },